Date:      Tue, 08 Apr 2003 22:22:49 -0400
From:      Bill Moran <wmoran@potentialtech.com>
To:        Chris Miller <ctodd@netgate.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Questions about patches
Message-ID:  <3E9383F9.5020102@potentialtech.com>
In-Reply-To: <Pine.BSI.4.44L.0304081728340.9915-100000@rs.netgate.net>
References:  <Pine.BSI.4.44L.0304081728340.9915-100000@rs.netgate.net>

Chris Miller wrote:
> In the FreeBSD world however (feel free to jump in and set me straight
> here) patches seem to only be released for core OS components based solely
> on CERT advisories. These patches often (but not always) need to be
> applied to the source tree by running several commands and then by running
> make world just as upgrading the OS. For example, FreeBSD-SA-03:06.openssl
> required the whole OS be rebuilt rather than replacing the affected
> components, whereas FreeBSD-SA-03:07.sendmail was supplied in binary
> format.
> 
> I intend on running a "build" server to which all other servers will NFS
> mount to perform OS upgrades, but I'd prefer not to have to do this for
> every advisory.

This works well.  You can run the buildworld/buildkernel on the build server
and then simply installworld/installkernel on the production servers ... the
down time on the production servers is very minimal as a result.  Generally
less than 15 minutes each (in my experience).

> I've scoured the FreeBSD site and other resources for a
> couple of days, but I've found no binary way of patching the OS as I'm
> accustomed to doing with BSD/OS and RedHat. So my first question is;
> Is/will there be a better method of patching the core OS in the future
> that addresses only the affected components?

Don't have an answer there.  Jump in and make specific suggestions; if you
come up with something that sounds interesting to enough people, you're
likely to be the impetus for a new project that improves FreeBSD!

> Now on to the ports and packages. The maintainers of the ports collection
> appear to do a good job of quickly patching software in the ports
> collection, but rarely is an announcement made to the list (at least to
> any of the freebsd lists I subscribe to) which makes it difficult to
> determine when something has been in fact patched. New packages are
> released soon after in most cases, but often run several releases behind
> what is current, ruling out pkg_add as an option.

As far as I know, packages are only updated when releases are cut, but ports
are updated all the time.

> Unfortunately patching a given port (with dependencies) seems to require
> updating the entire ports tree to the latest versions, then compiling and
> installing. In some instances we may want to apply a patch to an existing
> version of an application rather than update it, but this is not possible
> most of the time. From what I can surmise, the procedure for patching
> applications in a multi server environment is to update the ports tree and
> to build/install/test these on a build server, and then package them up
> and install them remotely via pkg_add. Questions; 1. Is this the best way
> to apply patches to applications?

I think so.

> 2. Are there any plans to provide a
> better notification system when applications are patched similar to what
> RedHat has done with Bugzilla?

Check out freshports ... which allows you to tag ports for monitoring and
will notify you when they are changed.  Otherwise ... monitor the announce
lists for the software you use to keep on top of it and bug the port
maintainer if things get too far behind (although ports tend to stay pretty
updated).  www.freshports.org

> If there's a better list to send this to, let me know.

I think you're in the right place.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
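The build-once, install-many procedure Bill describes above (buildworld/buildkernel on the build server, installkernel/installworld on each production host over NFS), written out as an added example script for a production host; this is not code from the thread. It assumes the build server is reachable as "buildhost" (a placeholder), exports /usr/src and /usr/obj, and that the host uses the GENERIC kernel config.

```shell
#!/bin/sh
# Added example, not code from the thread: a script for a production host that
# installs the world and kernel already built on the build server over NFS.
# Assumptions: the build server is reachable as "buildhost" (placeholder) and
# exports /usr/src and /usr/obj; this host's kernel config is GENERIC.
# DRY_RUN=1 (the default) only prints the commands; run as root with DRY_RUN=0.
BUILDHOST="${BUILDHOST:-buildhost}"
KERNCONF="${KERNCONF:-GENERIC}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Read-only mounts: production hosts never compile, they only install, so
# nothing on them can alter the trees the whole fleet installs from.
mount_build_trees() {
    run mount -t nfs -o ro "$BUILDHOST:/usr/src" /usr/src
    run mount -t nfs -o ro "$BUILDHOST:/usr/obj" /usr/obj
}

# Phase 1: install the new kernel (the old one is kept as a fallback) and
# reboot onto it; installworld must not run under the old kernel.
phase_kernel() {
    mount_build_trees
    run sh -c "cd /usr/src && make installkernel KERNCONF=$KERNCONF"
    run shutdown -r now
}

# Phase 2, after that reboot: install the userland, merge /etc changes,
# then reboot once more onto the fully patched system.
phase_world() {
    mount_build_trees
    run sh -c "cd /usr/src && make installworld"
    run mergemaster
    run shutdown -r now
}

case "${1:-}" in
    kernel) phase_kernel ;;
    world)  phase_world ;;
    "")     ;;  # no phase given: just define the functions
    *)      echo "usage: $0 kernel|world" >&2; exit 1 ;;
esac
```

Run it as `DRY_RUN=0 sh install-from-buildhost.sh kernel`, reboot, then `... world`; the NFS mounts are made read-only so a compromised production host cannot feed a tampered tree back to the rest of the fleet.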